Google Glass can be hacked using Javascript

A security vulnerability in Android which allows attackers to execute arbitrary code (i.e. their own code) has been tested on Google Glass and found present. The actual vulnerability dates back to the latter part of last year when security researchers discovered that apps compiled against the Android 4.1 Jelly Bean API can exploit a bug in Javascript. The function in question is addJavascriptInterface(). It was designed to allow Java code to be accessed from within JavaScript but with a limited scope. However in API level 16 and below, it is broken. To exploit it, an app just need to create a WebView and then run code that accesses the broken JavaScript function.

Google’s official API documentation for addJavascriptInterface() has a note which recognizes that for apps compiled against the Android 4.1 SDK an attacker can manipulate the host application in unintended ways, executing Java code with the permissions of the host application.

Recently the addJavascriptInterface() test module for Metasploit, the popular open-source vulnerability testing framework, was updated to allow shell access on some versions of Android’s Browser as well as on derived browsers from Baidu and QQ. In the comments for the newly published Metasploit module, Joshua J. Drake noted that “code execution works on my Google Glass XE12 too.”

The problem is that on Android many free apps use a WebView to load HTML content (e.g. the developers website, instructions and even advertising) and if that HTML content can be altered in someway using a man-in-the-middle attack or by using malicious JavaScript in an advert then the WebView can be forced to execute the attacker’s code. Theoretically the same thing can happen on Google Glass.

According to a report published towards the end of last year by security company MWR Labs, a large number of the SDK’s used by advertising networks are vulnerable to exploitation.

[quote qtext=”We have analysed a large number of advertising network SDK’s and found that a lot of these implement bridges that are vulnerable to exploitation. Some advertising network SDK’s obtained from the advertising networks directly were found to not be vulnerable (in their most recent versions). However a lot of applications on the ‘Google Play Store’ were found to be using old versions of the SDK’s, which are vulnerable.” qperson=” MWR Labs” qsource=”” qposition=”center”]

It would be interesting to see a similar analysis for Google Glass.

When watching a Hollywood blockbuster you may sometimes have scoffed at how easily the hackers or the government agents can hack into smartphones, but actually it might be easier than you think!